1. Field of the Invention
The present invention is directed to technology for issuing electronic certificates.
2. Description of the Related Art
Electronic certificates have become a popular mechanism for establishing secure communications over a network. Certificates contain information about the certificate holder, including a public key for performing encryption. The certificate holder maintains a secret private key that corresponds to the public key. Members of the public employ the public key to encrypt communications sent to the certificate holder, and the certificate holder uses the private key to decrypt the encrypted communications. By exchanging certificates, individuals can share public keys for engaging in secure network communications.
In organizations, such as companies, many individuals have electronic certificates for carrying on secure communications inside and outside of the organization. In some instances, affiliates outside the organization have certificates for engaging in secure communications with the organization. Different members and affiliates of the organization have varying levels of need for certificates. For example, an officer of the organization typically engages in many confidential communications and undoubtedly has a need for an electronic certificate. On the other hand, an entry-level member of the organization may not have access to much confidential information—making the need for a certificate less obvious.
It is desirable for the organization to manage the enrollment, renewal, and revocation of certificates, so that standards can be established for different types of affiliates and members of the organization. In the above example, it would be desirable for the organization to automatically issue a certificate to the officer upon request, while requiring the entry-level member to obtain a superior's approval.
With the growth of networking and other information technologies, Identity Systems have become popular for managing organizations' identity information. In general, an Identity System provides for the creation, removal, editing and other management of identity information stored in various types of data stores. The identity information pertains to users, groups, organizations and things. For each entry in the data store, a set of attributes is stored. For example, the attributes stored for a user may include a name, address, employee number, telephone number, email address, user ID and password. The Identity System can also manage access privileges that govern the subject matter an entity can view, create, modify or use in the Identity System.
Traditional Identity Systems, however, have not managed the issuance, renewal or revocation of electronic certificates for an organization's members and affiliates. In many circumstances, organizations have refrained from controlling the certificate enrollment, renewal, and revocation processes—allowing organization members and affiliates to obtain, renew, and revoke certificates on an individual basis with third parties. This can result in the organization paying for a certificate that is issued to an entity that the organization may not recognize as needing the certificate.
It is desirable to employ an Identity System to centrally manage certificate enrollment, renewal, and revocation.
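The two mechanisms the background describes, a certificate that carries the holder's public key so that others can encrypt to the holder, and an organization that issues certificates according to a standard derived from identity attributes, can be put together in a small program. The following Go example is added here for illustration and is not part of the patent or any product it describes. It uses only Go's standard library (crypto/x509, crypto/rsa, crypto/ecdsa). The type and function names (Entry, OrgCA, Issue, Verify, EncryptToHolder, Decrypt) and the user records are assumptions constructed for the example; the enrollment rule it encodes is the one from the text: an officer is issued a certificate on request, an entry-level member only with a superior's approval, and a role the organization does not recognize gets nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entry is one user record in the Identity System's data store (constructed sample shape).
type Entry struct{ UserID, Name, Email, Title string }
// OrgCA is the organization's issuing authority: its self-signed CA certificate and signing key.
type OrgCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl and parses it back (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewOrgCA() (*OrgCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Org Identity CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &OrgCA{Cert: cert, key: key}, nil
}

// Issue applies the organization's enrollment standard to the requester's identity attributes and,
// if it is met, signs a certificate binding the holder's public key to those attributes.
// Only the public key reaches the CA; the holder keeps the matching private key secret.
func (ca *OrgCA) Issue(e Entry, holderPub *rsa.PublicKey, approved bool) (*x509.Certificate, error) {
	switch {
	case e.Title == "officer": // issued automatically on request
	case e.Title == "entry-level" && approved: // a superior's approval was recorded
	case e.Title == "entry-level":
		return nil, errors.New("policy: superior's approval required")
	default:
		return nil, errors.New("policy: role is not entitled to a certificate")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: e.Name, SerialNumber: e.UserID},
		EmailAddresses: []string{e.Email}, KeyUsage: x509.KeyUsageKeyEncipherment,
		NotBefore:      time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return sign(tmpl, ca.Cert, holderPub, ca.key)
}

// Verify checks that a presented certificate chains to this organization's CA and is still valid.
func (ca *OrgCA) Verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// EncryptToHolder needs nothing but the public key carried inside the certificate.
func EncryptToHolder(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is the holder's side: only the matching private key recovers the plaintext.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() { // happy path only, errors ignored; the functions above report them on every other path
	ca, _ := NewOrgCA()
	holderKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	officer := Entry{UserID: "u100", Name: "Alice Officer", Email: "alice@example.com", Title: "officer"}
	cert, _ := ca.Issue(officer, &holderKey.PublicKey, false)
	ct, _ := EncryptToHolder(cert, []byte("board minutes"))
	pt, _ := Decrypt(holderKey, ct)
	fmt.Println("chains to org CA:", ca.Verify(cert) == nil, "| decrypted:", string(pt))
}
```

Two points worth noticing when reading it. The certificate's subject carries the identity attributes (name, user ID, email) from the Identity System entry, so a relying party that verifies the chain learns who the organization vouches for, not just a key. And the policy runs before any signing happens, which is what lets the organization refuse to pay for, or vouch for, a certificate issued to an entity it does not recognize as needing one.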